I just read a few articles about a new GRUB vulnerability. The article said that you can bypass the password protection by pressing backspace twenty-eight times.

I am a security guy and I am concerned about the vulnerability, so I would like to know what measures GNU and Linux are taking. Is there a security update/fix/patch, and can I do anything myself to keep my computer secure? I always keep my OS, web browser, and programs up to date, so will that help?

It's an integer underflow bug where GRUB doesn't correctly check how many characters are left when you press backspace, and as a result it's erasing characters even though there's nothing more to erase, and by some low-level black magic it manages to damage enough of its own memory to trigger an exception and bring up the rescue console while still leaving enough memory intact so that it can still work. I'll leave it to an experienced C developer to provide a detailed answer, but here's a link with lots of details: hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
– André Borie Dec 18 '15 at 0:55
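
The unchecked decrement described in the comment above, as an added example that is not part of the original thread and is not GRUB's code: a prompt-style input loop with the backspace branch unguarded and guarded. `read_field`, `FIELD_SIZE` and the key streams are constructed for illustration; the unguarded path only records the wrapped counter and never writes through it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 16            /* constructed size for this demo */

struct field_result {
    char text[FIELD_SIZE];       /* what ended up in the field */
    unsigned cur_len;            /* length counter after the last key */
    int out_of_bounds;           /* 1 if the counter left the buffer */
};

/* Feed a key stream through a prompt-style input loop.
 * guard == 0: backspace decrements unconditionally (the bug class).
 * guard != 0: backspace is ignored when nothing is left to erase. */
struct field_result read_field(const char *keys, size_t nkeys, int guard)
{
    struct field_result r;
    memset(&r, 0, sizeof r);
    for (size_t i = 0; i < nkeys && keys[i] != '\n'; i++) {
        if (keys[i] == '\b') {
            if (guard && r.cur_len == 0)
                continue;                /* hardened: empty field, no-op */
            r.cur_len--;                 /* unsigned 0 - 1 wraps around */
            if (r.cur_len >= FIELD_SIZE)
                r.out_of_bounds = 1;     /* flag it; never index with it */
            continue;
        }
        if (r.cur_len < FIELD_SIZE - 1)  /* bounds check on the way up */
            r.text[r.cur_len++] = keys[i];
    }
    if (r.cur_len < FIELD_SIZE)
        r.text[r.cur_len] = '\0';        /* terminate only when in range */
    return r;
}

int main(void)
{
    char keys[28];                       /* constructed input: 28 backspaces */
    memset(keys, '\b', sizeof keys);
    struct field_result bad = read_field(keys, sizeof keys, 0);
    struct field_result ok = read_field(keys, sizeof keys, 1);
    printf("unguarded: cur_len=%u out_of_bounds=%d\n", bad.cur_len, bad.out_of_bounds);
    printf("guarded:   cur_len=%u out_of_bounds=%d\n", ok.cur_len, ok.out_of_bounds);
    return 0;
}
```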

Exploiting this vulnerability requires physical access to the computer during startup - Not necessarily. For a while I had Linux boxes attached to a serial console server that was accessible via dialup modem for OOB. If an attacker was able to bypass the console server authentication, and then wait for a reboot, or force one, they could exploit things remotely. There are also KVM over IP setups that, if improperly configured, might permit remote console access without any other physical access. Anyway, this type of setup is very uncommon these days.
– Zoredache Dec 18 '15 at 18:29

Your question is the first I've heard of this. Based on the articles you presented, though, you're probably plenty safe for 2 reasons:

A) The first article you linked says that the major distros have already patched this. If you keep up to date like you said, it should be fine. If not, the same article says the researchers who found the bug have released a patch you can install yourself.

B) The attack isn't against the Linux kernel, it's against the bootloader. That means an attacker needs to have access to your machine itself, not just network access to it. So unless you have friends or family who are inclined to hack your computer while you sleep, you should be safe.

Bonus) Once you have the physical access to a computer which you'd need for a hack like this (barring weird setups like network KVM switches), there are easier ways to gain control of the machine.

Many of your popular network KVMs are built into LOMs and can also do things like attach virtual USB or CD-ROM media or adjust boot order, so if someone's got admin access to one, it's pretty much game over regardless.
– Charles Duffy Dec 18 '15 at 1:26

@wizzwizz4, ...yes. If I'm given the choice between plugging in a piece of bootable media that I prepared and that has a known set of software vs depending on the target system to have a specific, vulnerable bootloader, I'm going to carry my own media in (or attach it over the LOM, or such). Just getting a bootloader may not buy you much -- in these modern times when you need an initramfs to load half your drivers, not every distro makes it as easy as init=/bin/sh or single.
– Charles Duffy Dec 18 '15 at 16:25

...now, "easy" is admittedly a thing -- not all that hardware is cheap. (Then again, if it's good enough to get a record of keystrokes pressed, cheap will do fine).
– Charles Duffy Dec 18 '15 at 22:44

I'm actually about to be getting hardware with the latest major release of AMI's Aptio, and you just gave me some small glimmer of hope that maybe I can coax firmware-level networking into working this time. Thank you. :)
– Charles Duffy Dec 18 '15 at 23:33